CVE-2023-44154
📋 TL;DR
CVE-2023-44154 is an authorization bypass vulnerability in Acronis Cyber Protect 15 that allows unauthorized users to access and manipulate sensitive information. This affects Acronis Cyber Protect 15 installations on both Linux and Windows platforms. Organizations using affected versions are vulnerable to data exposure and unauthorized system modifications.
💻 Affected Systems
- Acronis Cyber Protect 15
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of backup data including exfiltration, deletion, or encryption for ransom, potentially affecting all protected systems and data.
Likely Case
Unauthorized access to sensitive backup data, configuration information, and potential manipulation of backup schedules or retention policies.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring in place to detect unauthorized access attempts.
🎯 Exploit Status
Exploitation requires network access to the management interface but does not require valid credentials due to the authorization bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 35979 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-2436
Restart Required: Yes
Instructions:
1. Download the latest version from the Acronis support portal.
2. Back up the current configuration.
3. Install the update following the vendor instructions.
4. Restart Acronis services.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the Acronis management interface to only authorized administrative systems.
Enhanced Monitoring
Implement strict monitoring of access to the Acronis management interface and of backup operations.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Acronis management interface
- Enable detailed logging and monitoring for all access to backup systems and review logs daily
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Protect version in the management console or via the command line. On Windows: check the program version in Control Panel. On Linux: check the installed package version.
Check Version:
Windows: check Add/Remove Programs for the version.
Linux: rpm -qa | grep acronis or dpkg -l | grep acronis
Verify Fix Applied:
Verify the installed version is build 35979 or later in the management console or via version check commands.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to management interface
- Unusual backup operations or configuration changes
- Access from unexpected IP addresses or users
Network Indicators:
- Unusual traffic patterns to Acronis management ports (default 9876, 443)
- Connection attempts from non-administrative networks
SIEM Query:
source="acronis_logs" AND (event_type="unauthorized_access" OR user="unknown" OR src_ip NOT IN admin_networks)
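As an added example (not from this advisory or from Acronis), the following Python applies the logic of the SIEM query above to constructed sample log lines: it flags management-interface events whose event_type is unauthorized_access, whose user is unknown, or whose source address lies outside the administrative networks. The JSON-per-line log format, field names and admin network range are assumptions.

```python
import ipaddress
import json

# Constructed sample events in an assumed JSON-per-line format; real Acronis
# log fields will differ and must be mapped before use.
SAMPLE_LOG = """\
{"ts": "2023-10-01T08:00:01Z", "event_type": "login", "user": "admin", "src_ip": "10.10.0.5", "port": 9876}
{"ts": "2023-10-01T08:02:17Z", "event_type": "unauthorized_access", "user": "admin", "src_ip": "10.10.0.5", "port": 9876}
{"ts": "2023-10-01T08:05:40Z", "event_type": "backup_plan_change", "user": "unknown", "src_ip": "10.10.0.7", "port": 443}
{"ts": "2023-10-01T08:09:03Z", "event_type": "login", "user": "backup-op", "src_ip": "192.0.2.44", "port": 9876}
{"ts": "2023-10-01T08:11:55Z", "event_type": "login", "user": "backup-op", "src_ip": "10.10.0.9", "port": 443}
"""

# Assumed allow-list of administrative networks (the advisory's admin_networks).
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24",)]


def is_admin_source(src_ip: str) -> bool:
    """True when src_ip falls inside one of the allow-listed admin networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparseable address: treat as untrusted
    return any(addr in net for net in ADMIN_NETWORKS)


def suspicious(event: dict) -> list:
    """Return the reasons an event matches the advisory's detection logic."""
    reasons = []
    if event.get("event_type") == "unauthorized_access":
        reasons.append("unauthorized_access")
    if event.get("user") == "unknown":
        reasons.append("unknown_user")
    if not is_admin_source(event.get("src_ip", "")):
        reasons.append("non_admin_source")
    return reasons


def scan(log_text: str) -> list:
    """Parse JSON lines and return (timestamp, src_ip, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = suspicious(event)
        if reasons:
            hits.append((event["ts"], event["src_ip"], reasons))
    return hits


if __name__ == "__main__":
    for ts, ip, why in scan(SAMPLE_LOG):
        print(f"{ts} {ip}: {', '.join(why)}")
```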